WO2024094072A1 - Information transmission method, device, network node and storage medium - Google Patents

Information transmission method, device, network node and storage medium

Info

Publication number
WO2024094072A1
Authority
WO
WIPO (PCT)
Prior art keywords
network node
information
controller
network
sent
Prior art date
Application number
PCT/CN2023/129104
Other languages
English (en)
French (fr)
Inventor
陈美玲
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2024094072A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H04L45/14 Routing performance; Theoretical aspects
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present application relates to the field of network technology, and in particular to an information transmission method, device, network node and storage medium.
  • the embodiments of the present application provide an information transmission method, device, network node and storage medium.
  • the embodiment of the present application provides an information transmission method, which is applied to a first network node in a first autonomous system (AS), and the method includes:
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the first information is carried in a prefix of the Border Gateway Protocol-Link State (BGP-LS) protocol for transmission.
  • BGP-LS: Border Gateway Protocol-Link State
  • the method further comprises:
  • the first information corresponding to the second AS is disassembled to obtain the second information corresponding to each network node in the second AS;
  • the second information represents the security capability of the corresponding network node.
  • the method further comprises:
  • the first information is sent to a first controller;
  • the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
  • the method further comprises:
  • the second information represents the security capabilities of other network nodes.
  • the second information is carried in a node of the BGP-LS protocol and transmitted.
  • the embodiment of the present application further provides an information transmission method, which is applied to a first controller; the first controller is directly connected to a first network node in a first AS; the method comprises:
  • the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capabilities of the corresponding network nodes.
  • the method further comprises:
  • second information corresponding to each network node in the first AS and/or at least one second AS is obtained by disassembling the received first information.
  • the first information is carried in a prefix of a BGP-LS protocol and transmitted; and/or the second information is carried in a node of a BGP-LS protocol and transmitted.
  • the method further comprises:
  • the second controller represents the head node of a segment routing IPv6 (SRv6) tunnel; the first path strategy is generated based on second information corresponding to each network node in the first AS and/or at least one second AS.
  • SRv6: segment routing IPv6
  • the method further comprises:
  • the present application also provides an information transmission device, including:
  • a first receiving unit is configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or,
  • the first sending unit is configured to send first information corresponding to the first AS to the second network node; wherein:
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the present application also provides an information transmission device, including:
  • a second receiving unit is configured to receive first information of a first AS and/or at least one second AS sent by a first network node; and/or,
  • the third receiving unit is configured to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node;
  • the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capabilities of the corresponding network nodes.
  • the embodiment of the present application further provides a first network node, which is located in a first AS and includes: a first communication interface; wherein:
  • the first communication interface is used to receive first information corresponding to the second AS sent by a second network node in the second AS; or to send first information corresponding to the first AS to the second network node;
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the embodiment of the present application further provides a first controller, which is directly connected to a first network node in a first AS, and includes: a second communication interface; wherein:
  • the second communication interface is used to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or, to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node;
  • the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capabilities of the corresponding network nodes.
  • the embodiment of the present application further provides a first network node, comprising: a processor and a memory for storing a computer program that can be run on the processor;
  • the processor is used to execute the steps of any one of the above-mentioned methods on the first network node side when running the computer program.
  • the embodiment of the present application further provides a first controller, comprising: a processor and a memory for storing a computer program that can be run on the processor,
  • the processor is used to execute the steps of any one of the above-mentioned methods on the first controller side when running the computer program.
  • An embodiment of the present application further provides a storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the computer program implements the steps of any of the above-mentioned methods on the first network node side, or implements the steps of any of the above-mentioned methods on the first controller side.
  • a first network node in a first AS receives first information corresponding to a second AS sent by a second network node in a second AS; or, the first network node in the first AS sends first information corresponding to the first AS to the second network node; wherein the first information represents the security capabilities of all network nodes in the corresponding AS, so that through a network node in any one of multiple ASs, cross-domain collection of security capabilities of all network nodes in multiple ASs can be achieved, and the security capability-related information collected across domains can be reported to the upper-level controller of the AS. Based on this, the upper-level controller can formulate a path strategy with secure routing capabilities to meet network security requirements.
  • FIG1 is a schematic diagram of a network structure applicable to an information transmission method according to an embodiment of the present application.
  • FIG2 is a schematic diagram of an implementation flow of an information transmission method according to an embodiment of the present application.
  • FIG3 is a schematic diagram showing the implementation principle of an information disassembly method according to an embodiment of the present application.
  • FIG4 is a schematic diagram showing the implementation principle of another information disassembly method according to an embodiment of the present application.
  • FIG5 is a schematic diagram of an implementation flow of another information transmission method according to an embodiment of the present application.
  • FIG6 is a schematic diagram of path strategy delivery according to an embodiment of the present application.
  • FIG7 is a schematic diagram of the structure of an information transmission device according to an embodiment of the present application.
  • FIG8 is a schematic diagram of the structure of another information transmission device according to an embodiment of the present application.
  • FIG9 is a schematic diagram of a first network node structure according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of the structure of a first controller according to an embodiment of the present application.
  • a first network node in a first AS receives first information corresponding to a second AS sent by a second network node in the second AS; or, a first network node in a first AS sends first information corresponding to the first AS to the second network node; wherein the first information represents the security capabilities of all network nodes in the corresponding AS, so that, through a network node in any one of the multiple ASs, the security capabilities of all network nodes in the multiple ASs can be collected across domains.
  • the security capability-related information collected across domains is reported to the upper-level controller of the AS. Based on this, the upper-level controller can formulate a path strategy with secure routing capabilities to meet network security requirements.
  • FIG1 shows a schematic diagram of a network structure applicable to the information transmission method of an embodiment of the present application.
  • network nodes A, B, and C belong to AS 100
  • network nodes D, E, F, and G belong to AS 200
  • at least one network node is configured as a super node, such as network node A in AS 100 and network node E in AS 200, which are responsible for collecting security capabilities of other network nodes in their respective ASs.
  • each super node can be understood as a router, and other network nodes in the same AS as the super node can be understood as other network devices attached to the router.
  • besides AS 100 and AS 200, there may be other ASs.
  • in each AS, only the super node has the ability to communicate with the controller to which the AS belongs and to report the collected security capabilities to that controller; alternatively, the super node has the ability to communicate across domains and transmits the collected security capabilities across domains to the super nodes in other ASs.
  • the other network nodes in each AS are not directly connected to the controller to which the AS belongs and cannot communicate across domains; they transmit the information representing their respective security capabilities to the super node in their own AS.
  • network node A is connected and communicates with controller Alice.
  • Network node A is responsible for collecting the security capabilities of network nodes B and C in AS 100 and reporting the collected security capabilities to controller Alice.
  • Direct communication is not supported between network nodes B and C and controller Alice.
  • Network node E is connected and communicates with controller Bob.
  • Network node E is responsible for collecting the security capabilities of network nodes D, F, and G in AS 200 and reporting the collected security capabilities to controller Bob.
  • Direct communication is not supported between network nodes D, F, and G and controller Bob.
  • network node A is connected and communicates with controller Alice.
  • Network node A is responsible for collecting the security capabilities of network nodes B and C in AS 100 and reporting the collected security capabilities to controller Alice.
  • Direct communication is not supported between network nodes B and C and controller Alice.
  • AS 200 also belongs to controller Alice, but network node E is not connected to controller Alice. Instead, it is responsible for collecting the security capabilities of network nodes D, F, and G in AS 200 and transmitting the collected security capabilities across domains to network node A.
  • Network node A then reports the security capabilities of network nodes in AS 200 to controller Alice. Direct communication is not supported between network nodes D, F, and G and controller Bob.
  • controller Alice and/or controller Bob generates a path strategy based on the collected security capabilities of network nodes.
  • the generated path strategy has a secure routing capability and can meet network security requirements.
  • controller Admin is configured above controllers Alice and Bob, responsible for collecting security capabilities of network nodes in the entire domain of AS 100 and AS 200. In this way, controller Admin generates a path policy based on the collected security capabilities of network nodes.
  • the BGP-LS protocol can be used to realize the transmission of security capabilities.
  • the BGP-LS protocol can be used to collect network topology related information.
  • the routing and computation capabilities of BGP are used to carry nodes, links, and routing prefixes through three types of BGP-LS routes, respectively, so that the topology information discovered by the Interior Gateway Protocol (IGP) is summarized and reported to the upper-level network node.
  • IGP: Interior Gateway Protocol
  • the above three types of BGP-LS routes cooperate with each other to complete the transmission of topology information.
  • node routing is used to record the node information of the topology
  • link routing is used to record the link information between two devices
  • address prefix routing is used to record the network segment information reachable by the node.
  • the network topology related information collected by the BGP-LS protocol is described as Network Layer Reachability Information (NLRI) encoded in Type-Length-Value (TLV) triplets.
  • NLRI: Network Layer Reachability Information
  • TLV: Type-Length-Value
  • BGP-LS is extended so that the information transmitted based on the BGP-LS protocol can carry the security capabilities of network nodes.
  • the transmission of the security capabilities of the network nodes is realized.
  • the "AS security capabilities" field is added to the prefix, and the length of the field is variable.
  • the value of the field is obtained by splicing together the information representing the security capabilities of the different network nodes.
  • for example, the field value can be {[IP address of network node A + node security capabilities], [IP address of network node B + node security capabilities], ...}.
  • network nodes within the same AS can upload their own security capabilities to the super node in the AS.
  • the super node can report the collected security capabilities to the controller to which the AS belongs, or transmit the collected security capabilities to super nodes in other ASs.
  • the controller can also further process the received security capabilities based on BGP-LS, or forward the received security capabilities to other controllers for further processing.
  • the embodiment of the present application provides an information transmission method, which is applied to a first network node in a first AS.
  • the first network node can be understood as a super node in the first AS.
  • the method includes:
  • Step 201 receiving first information corresponding to a second AS sent by a second network node in a second AS; or sending first information corresponding to the first AS to the second network node.
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the first network node is responsible for collecting security capabilities of all network nodes in the first AS.
  • the method further comprises:
  • the second information represents the security capability of the corresponding network node.
  • the first controller can be understood as other network nodes in the first AS except the first network node.
  • the second information is carried in the node of the BGP-LS protocol for transmission.
  • the first network node can send the collected security capabilities across domains to the second network node, where the second network node is a super node in the second AS; or, the first network node can receive the security capabilities of all network nodes in the second AS sent across domains by the second network node.
  • the first information is carried in a prefix of the BGP-LS protocol for transmission.
  • a field is added to the prefix, the field length is variable, and the field value of the field is obtained by concatenating information representing security capabilities of different network nodes.
  • when the first network node receives first information corresponding to the second AS sent by the second network node, the method further includes:
  • the first information corresponding to the second AS is disassembled to obtain second information corresponding to each network node in the second AS.
  • the second information represents the security capability of the corresponding network node.
  • the first information corresponding to an AS is obtained by splicing together the information representing the security capabilities of all network nodes in that AS. Therefore, after receiving the first information corresponding to the second AS from the second network node, the first network node needs to disassemble it to obtain the security capability of each network node separately.
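An added worked example in Python (not code from the patent or its assignee) of the splicing of per-node security capabilities into the "AS security capabilities" field and its disassembly back into per-node second information. The patent fixes only that the field is variable-length and concatenates [node IP address + node security capabilities] entries; the per-entry byte layout, the capability flag bits and the sample addresses below are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed capability flag assignments; the patent does not define how a
# node's "node security capabilities" are encoded, only that the per-AS field
# is a variable-length concatenation of [node IP address + capabilities].
CAP_FLAGS = {
    "ipsec": 0x01,
    "macsec": 0x02,
    "srv6_hmac": 0x04,
    "acl": 0x08,
}
_ADDR_LEN = {4: 4, 6: 16}  # address family byte -> packed address length


@dataclass(frozen=True)
class NodeSecurityCapability:
    """Second information: the security capability of one network node."""
    address: str
    capabilities: frozenset


def encode_node(entry):
    """Encode one [IP address + node security capabilities] entry.

    Assumed layout: family(1) | packed address(4 or 16) | cap_len(1) | cap bits.
    """
    ip = ipaddress.ip_address(entry.address)
    bits = 0
    for name in entry.capabilities:
        bits |= CAP_FLAGS[name]          # KeyError for an unknown capability name
    cap_bytes = bits.to_bytes(1, "big")  # one byte covers the constructed flags
    return bytes([ip.version]) + ip.packed + bytes([len(cap_bytes)]) + cap_bytes


def assemble_as_capabilities(entries):
    """First information: splice every node entry of one AS into the
    variable-length "AS security capabilities" field value."""
    return b"".join(encode_node(e) for e in entries)


def disassemble_as_capabilities(field):
    """Split a received field value back into per-node second information.

    Every length is checked against the remaining bytes before it is used, so a
    truncated or malformed field received from a peer raises ValueError instead
    of being silently mis-parsed; a super node or controller should then
    discard the whole field rather than act on a partial result.
    """
    entries = []
    pos, end = 0, len(field)
    while pos < end:
        family = field[pos]
        pos += 1
        addr_len = _ADDR_LEN.get(family)
        if addr_len is None:
            raise ValueError(f"unknown address family {family} at offset {pos - 1}")
        if pos + addr_len + 1 > end:
            raise ValueError(f"truncated address entry at offset {pos}")
        address = ipaddress.ip_address(field[pos:pos + addr_len])
        pos += addr_len
        cap_len = field[pos]
        pos += 1
        if pos + cap_len > end:
            raise ValueError(f"truncated capability bytes at offset {pos}")
        bits = int.from_bytes(field[pos:pos + cap_len], "big")
        pos += cap_len
        # Flag bits this implementation does not know are ignored, so a newer
        # peer advertising extra capabilities still parses.
        caps = frozenset(n for n, f in CAP_FLAGS.items() if bits & f)
        entries.append(NodeSecurityCapability(str(address), caps))
    return entries


# Constructed sample: the four nodes of AS 200 in FIG1 (D, E, F, G) as super
# node E would splice them before sending the field across domains to node A.
AS200_NODES = [
    NodeSecurityCapability("10.200.0.4", frozenset({"ipsec"})),
    NodeSecurityCapability("10.200.0.5", frozenset({"ipsec", "srv6_hmac"})),
    NodeSecurityCapability("2001:db8:200::6", frozenset()),
    NodeSecurityCapability("2001:db8:200::7", frozenset({"macsec", "srv6_hmac"})),
]

if __name__ == "__main__":
    field = assemble_as_capabilities(AS200_NODES)
    print(field.hex())
    for node in disassemble_as_capabilities(field):
        print(node.address, sorted(node.capabilities))
```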
  • the method further comprises:
  • the first controller is a controller directly connected to the first network node, that is, a controller to which the first AS belongs.
  • the first network node sends the security capability corresponding to each network node in the first AS to the first controller, and/or the first network node disassembles the first information corresponding to the second AS, obtains the security capability corresponding to each network node in the second AS, and sends the security capability corresponding to each network node in the second AS to the first controller.
  • when network node A has the ability to disassemble the first information, the security capabilities of all network nodes of an AS are transmitted to network node A.
  • Network node A disassembles the security capabilities of each network node in the AS and sends the disassembled security capabilities to the controller Alice.
  • the method further comprises:
  • the first information is sent to a first controller.
  • the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
  • the first controller directly connected to the first network node has the capability of disassembling the first information.
  • the first network node sends the first information to the first controller, and the first controller disassembles the first information to obtain the security capability of each network node in the AS.
  • the controller Alice has the ability to disassemble the first information. After network node A receives the security capabilities of all network nodes of an AS, it directly transmits them to controller Alice, and Alice disassembles the first information of that AS to obtain the security capability of each network node in it.
  • the embodiment of the present application provides an information transmission method, which is applied to a first controller to which a first AS belongs, and the first controller is directly connected to a first network node in the first AS. As shown in FIG5 , the method includes:
  • Step 501 Receive first information of the first AS and/or at least one second AS sent by the first network node; and/or receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node.
  • the first information represents the security capabilities of all network nodes in the corresponding AS; and the second information represents the security capabilities of the corresponding network nodes.
  • the method further includes:
  • second information corresponding to each network node in the first AS and/or at least one second AS is obtained by disassembling.
  • when the first network node supports the disassembly of the first information, the first network node sends the security capability corresponding to each network node in the first AS to the first controller, and/or the first network node disassembles the first information corresponding to the second AS, obtains the security capability corresponding to each network node in the second AS, and sends the security capability corresponding to each network node in the second AS to the first controller.
  • the first information is carried in a prefix of a BGP-LS protocol and transmitted; and/or the second information is carried in a node of a BGP-LS protocol and transmitted.
  • the controller is responsible for generating the path strategy.
  • the controller generates a path strategy based on the collected security capabilities of the network nodes, so that a path strategy with secure routing capabilities can be formulated.
  • the controller to which the AS belongs can directly send the generated path strategy to the head node of the SRv6 tunnel; or, the upper-level controller can generate the path strategy, and send the generated path strategy to the controller to which the AS belongs, and then the controller to which the AS belongs sends the path strategy to the head node of the SRv6 tunnel; or, the upper-level controller can generate the path strategy, and send the generated path strategy directly to the head node of the SRv6 tunnel.
  • the method further includes:
  • the first path policy is sent to the second controller.
  • the second controller represents the head node of the SRv6 tunnel; and the first path strategy is generated based on second information corresponding to each network node in the first AS and/or at least one second AS.
  • the path policy is sent from the controller to which the AS belongs to the head node of the SRv6 tunnel.
  • the path policy can be generated by the controller to which the AS belongs, or it can be generated by the upper layer controller of the controller to which the AS belongs.
  • when the upper-layer controller generates the path policy, it sends the generated path policy to the controller to which the AS belongs.
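An added example in Python (not the patent's own code) of how a controller could turn the collected per-node security capabilities into the "first path strategy" for an SRv6 head node: the controller searches for the shortest path whose every node advertises the required capabilities and emits it as an explicit segment list. The node names follow FIG1; the links, node SIDs, capability names and the constraint model (every node on the path must hold the required capabilities) are assumptions.

```python
from collections import deque

# Constructed topology following FIG1 of the patent: A, B, C are in AS 100 and
# D, E, F, G in AS 200. The links and node SIDs are assumptions; the patent
# gives neither.
LINKS = [("A", "B"), ("B", "C"), ("C", "G"), ("A", "D"), ("D", "E"),
         ("E", "F"), ("F", "G")]
NODE_SID = {n: f"2001:db8:{i}::1" for i, n in enumerate("ABCDEFG", start=1)}

# Per-node second information as the controller (Alice or Admin) holds it after
# disassembling the first information of both ASs. Constructed values.
NODE_CAPS = {
    "A": {"ipsec", "srv6_hmac"},
    "B": {"ipsec"},
    "C": set(),                      # advertises no security capability
    "D": {"ipsec", "srv6_hmac"},
    "E": {"ipsec", "srv6_hmac"},
    "F": {"ipsec", "srv6_hmac"},
    "G": {"ipsec", "srv6_hmac"},
}


def build_adjacency(links):
    """Undirected adjacency lists, neighbours kept in link order."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def constrained_path(adj, node_caps, src, dst, required):
    """Shortest hop-count path from src to dst that only traverses nodes whose
    advertised capabilities cover `required`. Returns None when no such path
    exists. A node with no collected second information is treated as having
    no capabilities, so it is never used for a constrained path."""
    required = set(required)

    def allowed(node):
        return required <= node_caps.get(node, set())

    if not (allowed(src) and allowed(dst)):
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, []):
            if nxt in prev or not allowed(nxt):
                continue
            prev[nxt] = node
            queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    cur = dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def generate_path_policy(head, tail, required, links=LINKS, node_caps=NODE_CAPS,
                         node_sid=NODE_SID):
    """The controller's first path strategy: an SRv6 policy for head node
    `head` whose explicit segment list steers traffic to `tail` only through
    nodes holding every required security capability. None means the
    requirement cannot be met with the collected capabilities."""
    path = constrained_path(build_adjacency(links), node_caps, head, tail, required)
    if path is None:
        return None
    return {
        "head": head,
        "tail": tail,
        "required": sorted(required),
        "segment_list": [node_sid[n] for n in path[1:]],
    }


if __name__ == "__main__":
    # Without a requirement the short path via C is used; requiring IPsec
    # routes around C through AS 200; requiring MACsec yields no policy.
    for req in (set(), {"ipsec"}, {"macsec"}):
        print(sorted(req), generate_path_policy("A", "G", req))
```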
  • the method further includes:
  • the information transmitted based on the BGP-LS protocol can carry the security capability related information of all network nodes in the AS, and the information is collected by the super node in the AS, and the collected information can be transmitted across domains.
  • the super node or controller disassembles the information to obtain the security capability of each network node in the AS, thereby generating a path strategy with routing security capability, meeting the needs of network security.
  • the embodiment of the present application further provides an information transmission device, which is arranged on the first network node. As shown in FIG. 7 , the device includes:
  • the first receiving unit 701 is configured to receive first information corresponding to the second AS sent by a second network node in the second AS; or,
  • the first sending unit 702 is configured to send first information corresponding to the first AS to the second network node; wherein:
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the first information is carried in a prefix of the BGP-LS protocol for transmission.
  • the device further comprises:
  • the first disassembling unit is used to disassemble the first information corresponding to the second AS to obtain the second information corresponding to each network node in the second AS;
  • the second information represents the security capability of the corresponding network node.
  • the device further comprises:
  • the second sending unit is configured to send second information corresponding to each network node in the first AS and/or the second AS to the first controller.
  • the device further comprises:
  • the third sending unit is used to send the first information to the first controller; wherein,
  • the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
  • the device further comprises:
  • the fourth receiving unit is used to receive the second information uploaded by the first controller in the first AS; wherein,
  • the second information represents the security capability of the corresponding network node.
  • the second information is carried in a node route of the BGP-LS protocol for transmission.
  • the first receiving unit 701, the first sending unit 702, the second sending unit, the third sending unit and the fourth receiving unit can be implemented by a communication interface in the information transmission device;
  • the first disassembling unit can be implemented by a processor in the information transmission device.
  • the embodiment of the present application further provides an information transmission device, which is arranged on the first controller. As shown in FIG8 , the device includes:
  • the second receiving unit 801 is configured to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or,
  • the third receiving unit 802 is configured to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
  • the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capabilities of the corresponding network nodes.
  • the device further comprises:
  • the second disassembling unit is configured to disassemble the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
  • the first information is carried in a prefix of a BGP-LS protocol and transmitted; and/or the second information is carried in a node of a BGP-LS protocol and transmitted.
  • the device further comprises:
  • the fourth sending unit is used to send the first path strategy to the second controller; wherein,
  • the second controller represents the head node of the SRv6 tunnel; the first path strategy is generated based on second information corresponding to each network node in the first AS and/or at least one second AS.
  • the device further comprises:
  • a fifth sending unit configured to send second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller;
  • the fifth receiving unit is configured to receive the first path strategy sent by the third controller.
  • the second receiving unit 801, the third receiving unit 802, the fourth sending unit, the fifth sending unit and the fifth receiving unit can be implemented by the communication interface in the information transmission device;
  • the second disassembling unit can be implemented by the processor in the information transmission device.
  • when the information transmission device provided in the above embodiment performs information transmission, the division of the above program modules is used only as an example for explanation.
  • the above processing can be assigned to different program modules as needed.
  • the internal structure of the device is divided into different program modules to complete all or part of the above-described processing.
  • the information transmission device and the information transmission method embodiment provided in the above embodiment belong to the same concept, and the specific implementation process is detailed in the method embodiment, which will not be repeated here.
  • the embodiment of the present application further provides a first network node, which is located in the first AS.
  • the first network node 900 includes:
  • the first communication interface 901 is capable of exchanging information with other network nodes;
  • the first processor 902 is connected to the first communication interface 901 to implement information exchange with other network nodes, and is used to execute the method provided by one or more technical solutions of the first network node side when running a computer program.
  • the computer program is stored in the first memory 903.
  • the first communication interface 901 is used to receive first information corresponding to the second AS sent by a second network node in the second AS; or to send first information corresponding to the first AS to the second network node; wherein,
  • the first information represents the security capabilities of all network nodes in the corresponding AS.
  • the first information is carried in a prefix of the Border Gateway Protocol-Link State (BGP-LS) protocol for transmission.
  • the first processor 902 is configured to disassemble the first information corresponding to the second AS to obtain the second information corresponding to each network node in the second AS; wherein
  • the second information represents the security capability of the corresponding network node.
  • the first communication interface 901 is further used to send second information corresponding to each network node in the first AS and/or the second AS to the first controller.
  • the first communication interface 901 is further used to send the first information to the first controller; wherein,
  • the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
  • the first communication interface 901 is further used to receive second information uploaded by other network nodes in the first AS; wherein,
  • the second information represents the security capabilities of other network nodes.
  • the second information is carried in a node of the BGP-LS protocol for transmission.
  • the various components in the first network node 900 are coupled together via the bus system 904. It is understood that the bus system 904 is used to realize the connection and communication between these components.
  • in addition to a data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus.
  • for the sake of clarity, the various buses are labeled as the bus system 904 in FIG. 9.
  • the first memory 903 in the embodiment of the present application is used to store various types of data to support the operation of the first network node 900.
  • Examples of such data include: any computer program used to operate on the first network node 900.
  • the method disclosed in the above embodiment of the present application can be applied to the first processor 902, or implemented by the first processor 902.
  • the first processor 902 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit or software instructions in the first processor 902.
  • the above first processor 902 may be a general processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the first processor 902 can implement or execute the various methods, steps and logic block diagrams disclosed in the embodiments of the present application.
  • the general processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in the embodiment of the present application can be directly embodied as being executed by a hardware decoding processor, or being executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, which is located in the first memory 903.
  • the first processor 902 reads the information in the first memory 903 and completes the steps of the above method in combination with its hardware.
  • the first network node 900 can be implemented by one or more application specific integrated circuits (ASIC), DSP, programmable logic device (PLD), complex programmable logic device (CPLD), field programmable gate array (FPGA), general processor, controller, microcontroller (MCU), microprocessor, or other electronic components to execute the aforementioned method.
  • the embodiment of the present application further provides a first controller, which is directly connected to the first network node in the first AS; as shown in FIG. 10, the first controller 1000 includes:
  • the second communication interface 1001 is capable of exchanging information with other network nodes;
  • the second processor 1002 is connected to the second communication interface 1001 to implement information exchange with other network nodes, and is used to execute the method provided by one or more technical solutions of the first controller side when running a computer program.
  • the computer program is stored in the second memory 1003.
  • the second communication interface 1001 is used to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or, to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
  • the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capabilities of the corresponding network nodes.
  • the second processor 1002 is used to disassemble the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
  • the first information is carried in a prefix of a BGP-LS protocol and transmitted; and/or the second information is carried in a node of a BGP-LS protocol and transmitted.
  • the second communication interface 1001 is further used to issue the first path policy to the second controller; wherein,
  • the second controller represents the head node of the SRv6 tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
  • the second communication interface 1001 is further used to send the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller; and to receive the first path policy issued by the third controller.
  • the various components in the first controller 1000 are coupled together through the bus system 1004. It can be understood that the bus system 1004 is used to realize the connection and communication between these components.
  • the bus system 1004 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, various buses are marked as the bus system 1004 in FIG. 10.
  • the second memory 1003 in the embodiment of the present application is used to store various types of data to support the operation of the first controller 1000. Examples of such data include: any computer program used to operate on the first controller 1000.
  • the method disclosed in the above embodiment of the present application can be applied to the second processor 1002, or implemented by the second processor 1002.
  • the second processor 1002 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit or software instructions in the second processor 1002.
  • the above-mentioned second processor 1002 may be a general-purpose processor, DSP, or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the second processor 1002 can implement or execute the various methods, steps and logic block diagrams disclosed in the embodiments of the present application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in the embodiment of the present application can be directly embodied as being executed by a hardware decoding processor, or being executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium, which is located in the second memory 1003.
  • the second processor 1002 reads the information in the second memory 1003 and completes the steps of the above method in combination with its hardware.
  • the first controller 1000 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components to perform the aforementioned methods.
  • the memory (first memory 903, second memory 1003) of the embodiment of the present application can be a volatile memory or a non-volatile memory, and can also include both volatile and non-volatile memories.
  • the non-volatile memory can be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM);
  • the magnetic surface memory can be a disk memory or a tape memory.
  • the volatile memory can be a random access memory (RAM), which is used as an external cache.
  • by way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM).
  • the memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • the embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example, including a first memory 903 storing a computer program, and the above-mentioned computer program can be executed by the first processor 902 of the first network node 900 to complete the steps described in the aforementioned first network node side method.
  • for another example, the storage medium includes a second memory 1003 storing a computer program, and the above-mentioned computer program can be executed by the second processor 1002 of the first controller 1000 to complete the steps described in the aforementioned first controller side method.
  • the computer-readable storage medium can be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM.
  • "A and/or B" can represent three situations: A exists alone, A and B exist at the same time, or B exists alone.
  • "at least one" herein represents any one of a plurality, or any combination of at least two of a plurality.
  • "including at least one of A, B, and C" can represent including any one or more elements selected from the set consisting of A, B, and C.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses an information transmission method, apparatus, network node and storage medium. The method includes: a first network node in a first AS receives first information corresponding to a second AS sent by a second network node in the second AS; or sends first information corresponding to the first AS to the second network node; wherein the first information represents the security capabilities of all network nodes in the corresponding AS.

Description

Information transmission method, apparatus, network node and storage medium
Cross-reference to related applications
The present application is based on, and claims priority from, Chinese patent application No. 202211370803.7 filed on November 3, 2022, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of network technology, and in particular to an information transmission method, apparatus, network node and storage medium.
Background
With the frequent occurrence of network security incidents, users' demand for network security is growing stronger, and regulators have also put forward corresponding network security requirements. However, in the related art, the managing operator can only guarantee the operational security and routing reachability of the underlying network in terms of network security, and cannot additionally provide a secure routing capability that meets user needs.
Summary
To solve the problems in the related art, embodiments of the present application provide an information transmission method, apparatus, network node and storage medium.
The technical solutions of the embodiments of the present application are implemented as follows:
An embodiment of the present application provides an information transmission method, applied to a first network node in a first autonomous system (AS), the method including:
receiving first information corresponding to a second AS sent by a second network node in the second AS; or,
sending first information corresponding to the first AS to the second network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS.
In an embodiment, the first information is carried in a prefix of the Border Gateway Protocol-Link State (BGP-LS) protocol for transmission.
In an embodiment, the method further includes:
disassembling the first information corresponding to the second AS to obtain second information corresponding to each network node in the second AS; wherein,
the second information represents the security capability of the corresponding network node.
In an embodiment, the method further includes:
sending the second information corresponding to each network node in the first AS and/or the second AS to a first controller.
In an embodiment, the method further includes:
sending the first information to a first controller; wherein,
the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the method further includes:
receiving second information uploaded by other network nodes in the first AS; wherein,
the second information represents the security capabilities of the other network nodes.
In an embodiment, the second information is carried in a node of the BGP-LS protocol for transmission.
An embodiment of the present application further provides an information transmission method, applied to a first controller; the first controller is directly connected to a first network node in a first AS; the method includes:
receiving first information of the first AS and/or at least one second AS sent by the first network node; and/or,
receiving second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the method further includes:
disassembling the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission; and/or the second information is carried in a node of the BGP-LS protocol for transmission.
In an embodiment, the method further includes:
issuing a first path policy to a second controller; wherein,
the second controller represents the head node of a Segment Routing over IPv6 (SRv6) tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the method further includes:
sending the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller;
receiving the first path policy issued by the third controller.
An embodiment of the present application further provides an information transmission apparatus, including:
a first receiving unit, configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or,
a first sending unit, configured to send first information corresponding to a first AS to the second network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS.
An embodiment of the present application further provides an information transmission apparatus, including:
a second receiving unit, configured to receive first information of a first AS and/or at least one second AS sent by a first network node; and/or,
a third receiving unit, configured to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
An embodiment of the present application further provides a first network node, located in a first AS, including: a first communication interface; wherein,
the first communication interface is configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or to send first information corresponding to the first AS to the second network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS.
An embodiment of the present application further provides a first controller, directly connected to a first network node in a first AS, including: a second communication interface; wherein,
the second communication interface is configured to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
An embodiment of the present application further provides a first network node, including: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute the steps of any of the above first-network-node-side methods when running the computer program.
An embodiment of the present application further provides a first controller, including: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute the steps of any of the above first-controller-side methods when running the computer program.
An embodiment of the present application further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the above first-network-node-side methods, or the steps of any of the above first-controller-side methods.
In the information transmission method, apparatus, network node and storage medium provided by the embodiments of the present application, a first network node in a first AS receives first information corresponding to a second AS sent by a second network node in the second AS; or the first network node in the first AS sends first information corresponding to the first AS to the second network node; wherein the first information represents the security capabilities of all network nodes in the corresponding AS. In this way, through one network node in any one of multiple ASes, the security capabilities of all network nodes in the multiple ASes can be collected across domains, and the collected security-capability information can be reported to the upper-layer controller of the AS. On this basis, the upper-layer controller can formulate a path policy with secure routing capability, meeting network security requirements.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network structure to which an information transmission method according to an embodiment of the present application applies;
FIG. 2 is a schematic flowchart of the implementation of an information transmission method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the implementation principle of an information disassembly method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the implementation principle of another information disassembly method according to an embodiment of the present application;
FIG. 5 is a schematic flowchart of the implementation of another information transmission method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of path policy issuance according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an information transmission apparatus according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of another information transmission apparatus according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a first network node according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a first controller according to an embodiment of the present application.
Detailed description
With the frequent occurrence of network security incidents, users' demand for network security is growing stronger, and regulators have also put forward corresponding network security requirements. However, in the related art, the managing operator can only guarantee the operational security and routing reachability of the underlying network in terms of network security, and cannot additionally provide a secure routing capability that meets user needs.
On this basis, in the embodiments of the present application, a first network node in a first AS receives first information corresponding to a second AS sent by a second network node in the second AS; or the first network node in the first AS sends first information corresponding to the first AS to the second network node; wherein the first information represents the security capabilities of all network nodes in the corresponding AS. In this way, through one network node in any one of multiple ASes, the security capabilities of all network nodes in the multiple ASes can be collected across domains, and the collected security-capability information can be reported to the upper-layer controller of the AS. On this basis, the upper-layer controller can formulate a path policy with secure routing capability, meeting network security requirements.
The present application is described in further detail below with reference to the drawings and embodiments.
First, FIG. 1 shows a schematic diagram of a network structure to which the information transmission method of an embodiment of the present application applies.
Referring to FIG. 1, network nodes A, B and C belong to AS 100, and network nodes D, E, F and G belong to AS 200. In each AS, at least one network node is configured as a super node, for example network node A in AS 100 and network node E in AS 200, which is responsible for collecting the security capabilities of the other network nodes in its AS. In practice, each super node can be understood as a router, and the other network nodes in the same AS as the super node can be understood as other network devices attached to that router. In practice, other ASes may exist besides AS 100 and AS 200.
Further, in each AS, only the super node has the ability to communicate with the controller to which the AS belongs, and uses it to report the collected security capabilities to the corresponding controller; or the super node may have cross-domain communication capability, and uses it to transmit the collected security capabilities across domains to super nodes in other ASes. The other network nodes in each AS are not directly connected to the controller of their AS and cannot communicate across domains; they need to transmit the information representing their own security capabilities to the super node in their AS.
For example, in scenario one, network node A is connected to and communicates with controller Alice; network node A is responsible for collecting the security capabilities of network nodes B and C in AS 100 and reporting the collected security capabilities to controller Alice; network nodes B and C do not support direct communication with controller Alice. Network node E is connected to and communicates with controller Bob; network node E is responsible for collecting the security capabilities of network nodes D, F and G in AS 200 and reporting the collected security capabilities to controller Bob; network nodes D, F and G do not support direct communication with controller Bob.
In scenario two, network node A is connected to and communicates with controller Alice; network node A is responsible for collecting the security capabilities of network nodes B and C in AS 100 and reporting the collected security capabilities to controller Alice; network nodes B and C do not support direct communication with controller Alice. AS 200 also belongs to controller Alice, but network node E is not connected to controller Alice; instead, it is responsible for collecting the security capabilities of network nodes D, F and G in AS 200 and transmitting the collected security capabilities across domains to network node A, and network node A then reports the security capabilities of the network nodes in AS 200 to controller Alice; network nodes D, F and G do not support direct communication with controller Bob.
In the above scenarios, controller Alice and/or controller Bob generates a path policy according to the collected security capabilities of the network nodes; in this way, the generated path policy has secure routing capability and can meet network security requirements.
Further, in scenario three, a higher-level controller Admin is configured above controller Alice and controller Bob, responsible for collecting the security capabilities of the network nodes across the whole of AS 100 and AS 200. In this case, controller Admin generates the path policy based on the collected security capabilities of the network nodes.
In practice, the BGP-LS protocol can be used to transmit security capabilities. BGP-LS, as an extension of BGP, can be used to collect network-topology-related information. In the related art, using BGP's route selection and path computation capabilities, three kinds of BGP-LS routes carry nodes, links and route prefixes respectively, so that the topology information discovered by the Interior Gateway Protocol (IGP) is aggregated and uploaded to upper-layer network nodes. The three kinds of BGP-LS routes cooperate to complete the transmission of topology information: the node route records the node information of the topology, the link route records the link information between two devices, and the prefix route records the network segments reachable from a node.
The network-topology-related information collected by BGP-LS is described in Type-Length-Value (TLV) format as Network Layer Reachability Information (NLRI). In the embodiments of the present application, the BGP-LS protocol is extended so that information transmitted over BGP-LS can carry the security capabilities of network nodes.
Specifically, a new attribute is added to the BGP-LS prefix to transmit the security capabilities of network nodes. For example, an "AS security capabilities" field of variable length is added to the prefix, and the field value is obtained by concatenating the information representing the security capabilities of the different network nodes. For example, the field value may be {[IP address of network node A + node security capability], [IP address of network node B + node security capability] ...}.
In this way, based on BGP-LS, network nodes in the same AS can upload their own security capabilities to the super node of that AS; the super node can report the collected security capabilities to the controller to which the AS belongs, or transmit the collected security capabilities to super nodes in other ASes. In addition, a controller can also, based on BGP-LS, further process the received security capabilities, or forward the received security capabilities to other controllers for further processing.
Next, the solution of the embodiments of the present application is further described with the super node in an AS and the controller directly governing an AS, respectively, as the executing entity.
An embodiment of the present application provides an information transmission method applied to a first network node in a first AS; here, the first network node can be understood as the super node in the first AS. As shown in FIG. 2, the method includes:
Step 201: receiving first information corresponding to a second AS sent by a second network node in the second AS; or sending first information corresponding to the first AS to the second network node.
The first information represents the security capabilities of all network nodes in the corresponding AS.
Here, as the super node in the first AS, the first network node is responsible for collecting the security capabilities of all network nodes in the first AS.
In an embodiment, the method further includes:
receiving second information uploaded by the first controller in the first AS; wherein,
the second information represents the security capability of the corresponding network node.
Here, the first controller can be understood as the other network nodes in the first AS other than the first network node. In practice, the second information is carried in a node of the BGP-LS protocol for transmission.
With reference to scenario two above, the first network node may send the collected security capabilities across domains to the second network node, where the second network node is the super node in the second AS; or the first network node may receive the security capabilities of all network nodes in the second AS, sent across domains by the second network node.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission.
For example, a field of variable length is added to the prefix, and the field value is obtained by concatenating the information representing the security capabilities of the different network nodes.
In an embodiment, where the first network node receives the first information corresponding to the second AS sent by the second network node, the method further includes:
disassembling the first information corresponding to the second AS to obtain second information corresponding to each network node in the second AS.
The second information represents the security capability of the corresponding network node.
As described above, the first information corresponding to an AS is obtained by concatenating the information representing the security capabilities of all network nodes in that AS; therefore, after receiving the first information corresponding to the second AS sent by the second network node, the first network node needs to disassemble the first information to obtain the security capability of each network node separately.
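The concatenation of the "AS security capabilities" field and its disassembly by the super node, as an added example that is not part of the patent: the element layout (address-family byte, packed address, one capability byte), the capability bit values, the node addresses and the ASNs are all constructed assumptions, since the page only says each element is "node IP address + node security capability". Because the field is variable-length and arrives from a peer AS, the parser bounds-checks every element and rejects malformed input instead of accepting it partially.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List

# Constructed capability bitmap; the page does not define an encoding.
CAP_ACL = 0x01    # stateless packet filtering
CAP_IPSEC = 0x02  # IPsec encryption
CAP_URPF = 0x04   # source address validation (uRPF)
CAP_DDOS = 0x08   # DDoS scrubbing

_ADDR_LEN = {4: 4, 6: 16}


@dataclass(frozen=True)
class NodeCapability:
    """Second information for one node: its IP address and capability bitmap."""
    node_ip: str
    caps: int


def pack_element(entry: NodeCapability) -> bytes:
    """Encode one [IP address + node security capability] element.
    Constructed layout: 1-byte address family (4 or 6), packed address, 1-byte bitmap."""
    addr = ipaddress.ip_address(entry.node_ip)
    return struct.pack("!B", addr.version) + addr.packed + struct.pack("!B", entry.caps & 0xFF)


def build_as_field(entries: List[NodeCapability]) -> bytes:
    """First information for one AS: every node's element concatenated, as the
    super node does before the prefix is sent across domains."""
    return b"".join(pack_element(e) for e in entries)


def disassemble_as_field(field: bytes) -> Dict[str, int]:
    """Disassemble a received field into per-node second information.
    A bad family byte, a truncated element or a node listed twice raises ValueError."""
    result: Dict[str, int] = {}
    pos = 0
    while pos < len(field):
        family = field[pos]
        addr_len = _ADDR_LEN.get(family)
        if addr_len is None:
            raise ValueError(f"unknown address family {family} at offset {pos}")
        end = pos + 1 + addr_len + 1
        if end > len(field):
            raise ValueError(f"truncated element at offset {pos}")
        raw = field[pos + 1:pos + 1 + addr_len]
        node_ip = str(ipaddress.IPv4Address(raw) if family == 4 else ipaddress.IPv6Address(raw))
        if node_ip in result:
            raise ValueError(f"node {node_ip} listed twice")
        result[node_ip] = field[end - 1]
        pos = end
    return result


def is_well_formed(field: bytes) -> bool:
    """True when the field disassembles cleanly."""
    try:
        disassemble_as_field(field)
        return True
    except ValueError:
        return False


def super_node_report(local_asn: int, local_entries: List[NodeCapability],
                      received: Dict[int, bytes]) -> Dict[int, Dict[str, int]]:
    """What super node A uploads to its controller (the FIG. 3 case): per-node
    second information for its own AS plus every AS whose first information it
    received across domains."""
    report = {local_asn: {e.node_ip: e.caps for e in local_entries}}
    for asn, field in received.items():
        report[asn] = disassemble_as_field(field)
    return report


# Constructed sample mirroring FIG. 1: A, B, C in AS 100; D, E, F, G in AS 200.
AS100_NODES = [NodeCapability("10.100.0.1", CAP_ACL | CAP_IPSEC | CAP_URPF),
               NodeCapability("10.100.0.2", CAP_ACL),
               NodeCapability("10.100.0.3", CAP_ACL | CAP_IPSEC)]
AS200_NODES = [NodeCapability("10.200.0.4", CAP_DDOS),
               NodeCapability("2001:db8:200::5", CAP_ACL | CAP_IPSEC | CAP_URPF | CAP_DDOS),
               NodeCapability("10.200.0.6", 0),
               NodeCapability("10.200.0.7", CAP_URPF)]

if __name__ == "__main__":
    # Super node E builds AS 200's first information and sends it to A (scenario two).
    field_as200 = build_as_field(AS200_NODES)
    for asn, nodes in super_node_report(100, AS100_NODES, {200: field_as200}).items():
        for ip, caps in nodes.items():
            print(f"AS {asn} node {ip}: caps=0x{caps:02x}")
```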
Further, in an embodiment, the method further includes:
sending the second information corresponding to each network node in the first AS and/or the second AS to a first controller.
Here, the first controller is the controller directly connected to the first network node, i.e. the controller to which the first AS belongs. The first network node sends the security capability corresponding to each network node in the first AS to the first controller, and/or the first network node disassembles the first information corresponding to the second AS to obtain the security capability corresponding to each network node in the second AS, and sends the security capability corresponding to each network node in the second AS to the first controller.
With reference to FIG. 3, network node A has the capability to disassemble the first information: the security capabilities of all network nodes across an AS are transmitted to network node A, which disassembles them to obtain the security capability of each network node in that AS and sends the disassembled security capabilities to controller Alice.
In an embodiment, the method further includes:
sending the first information to the first controller.
The first information is used by the first controller to disassemble and obtain the second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
Here, the first controller directly connected to the first network node has the capability to disassemble the first information; the first network node sends the first information to the first controller, and the first controller disassembles it to obtain the security capability of each network node in the AS.
With reference to FIG. 4, controller Alice has the capability to disassemble the first information: after receiving the security capabilities of all network nodes across an AS, network node A transmits them directly to controller Alice, which disassembles them to obtain the security capability of each network node in that AS.
An embodiment of the present application provides an information transmission method applied to a first controller to which a first AS belongs, the first controller being directly connected to a first network node in the first AS. As shown in FIG. 5, the method includes:
Step 501: receiving first information of the first AS and/or at least one second AS sent by the first network node; and/or receiving second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node.
The first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
In practice, where the first controller supports disassembly of the first information, the first network node sends the first information to the first controller, and the first controller disassembles it to obtain the security capability of each network node in the AS. On this basis, in an embodiment, the method further includes:
disassembling the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
Where the first network node supports disassembly of the first information, the first network node sends the security capability corresponding to each network node in the first AS to the first controller, and/or the first network node disassembles the first information corresponding to the second AS to obtain the security capability corresponding to each network node in the second AS, and sends the security capability corresponding to each network node in the second AS to the first controller.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission; and/or the second information is carried in a node of the BGP-LS protocol for transmission.
In a path policy implemented based on SRv6, the controller is responsible for generating the path policy. In the embodiments of the present application, the controller generates the path policy based on the collected security capabilities of the network nodes, so that a path policy with secure routing capability can be formulated. In practice, as shown in FIG. 6, the controller to which the AS belongs may issue the generated path policy directly to the head node of the SRv6 tunnel; or the upper-layer controller may generate the path policy and issue it to the controller to which the AS belongs, which then issues the path policy to the head node of the SRv6 tunnel; or the upper-layer controller may generate the path policy and issue it directly to the head node of the SRv6 tunnel.
On this basis, for the first controller directly connected to the first network node, in an embodiment, the method further includes:
issuing a first path policy to a second controller.
The second controller represents the head node of the SRv6 tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
This embodiment corresponds to the case where the path policy is issued by the controller to which the AS belongs to the head node of the SRv6 tunnel. The path policy may be generated by the controller to which the AS belongs, or generated by the upper-layer controller of that controller and issued by the upper-layer controller to the controller to which the AS belongs.
For the case where the path policy is generated by the upper-layer controller of the controller to which the AS belongs, in an embodiment, the method further includes:
sending the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller;
receiving the first path policy issued by the third controller.
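How a controller can turn the collected per-node second information into a first path policy for the SRv6 head node, as an added example that is not part of the patent: the topology, the capability bitmaps, the capability bit values and the node SIDs are constructed assumptions, and the path search (a breadth-first search restricted to nodes that advertise every required capability) is one illustrative way of generating the policy, not the one the page specifies. The sample shows the point of the scheme: the fewest-hop path A-B-E-G crosses node B, which advertises no capability, so the secure policy takes the longer path through C and D instead.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed capability bits (same encoding as the super-node example).
CAP_IPSEC = 0x02
CAP_URPF = 0x04
CAP_DDOS = 0x08

# Constructed links spanning AS 100 (A, B, C) and AS 200 (D, E, F, G), as a
# controller would learn them from BGP-LS link routes; treated as undirected.
LINKS: List[Tuple[str, str]] = [("A", "B"), ("B", "E"), ("A", "C"), ("C", "D"),
                                ("D", "E"), ("E", "G"), ("E", "F"), ("F", "G")]

# Constructed per-node second information after disassembly (capability bitmaps).
NODE_CAPS: Dict[str, int] = {
    "A": CAP_IPSEC | CAP_URPF, "B": 0, "C": CAP_IPSEC | CAP_URPF,
    "D": CAP_IPSEC | CAP_URPF, "E": CAP_IPSEC | CAP_URPF,
    "F": CAP_IPSEC, "G": CAP_IPSEC | CAP_URPF,
}

# Constructed SRv6 node SIDs, one locator per node.
NODE_SID: Dict[str, str] = {n: f"fc00:{i + 1}::" for i, n in enumerate("ABCDEFG")}


def adjacency(links: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Undirected adjacency lists, preserving link order for deterministic BFS."""
    adj: Dict[str, List[str]] = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def secure_path(head: str, tail: str, required: int,
                caps: Dict[str, int], links: List[Tuple[str, str]]) -> Optional[List[str]]:
    """Fewest-hop path from head to tail that only traverses nodes whose bitmap
    contains every bit in `required`. A node with no second information is
    treated as satisfying nothing, so it is never used when a capability is required."""
    def ok(node: str) -> bool:
        return (caps.get(node, 0) & required) == required

    if not (ok(head) and ok(tail)):
        return None
    adj = adjacency(links)
    prev: Dict[str, Optional[str]] = {head: None}
    queue = deque([head])
    while queue:
        node = queue.popleft()
        if node == tail:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev and ok(nxt):
                prev[nxt] = node
                queue.append(nxt)
    return None


def build_path_policy(head: str, tail: str, required: int,
                      caps: Dict[str, int] = NODE_CAPS,
                      links: List[Tuple[str, str]] = LINKS) -> Optional[dict]:
    """First path policy for the tunnel head node: the segment list (SIDs of every
    node after the head) plus the capability constraint it was computed under.
    Returns None when no path satisfies the constraint, so the head gets no policy
    rather than a path that silently violates it."""
    path = secure_path(head, tail, required, caps, links)
    if path is None:
        return None
    return {"head": head, "tail": tail, "required_caps": required,
            "path": path, "segment_list": [NODE_SID[n] for n in path[1:]]}


if __name__ == "__main__":
    print("unconstrained:", secure_path("A", "G", 0, NODE_CAPS, LINKS))
    print("IPsec+uRPF   :", build_path_policy("A", "G", CAP_IPSEC | CAP_URPF))
    print("DDoS scrub   :", build_path_policy("A", "G", CAP_DDOS))
```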
In the embodiments of the present application, the BGP-LS protocol is extended so that the information transmitted over BGP-LS can carry security-capability information of all network nodes in an AS; this information is collected by the super node in the AS, and the collected information can be transmitted across domains. During upload, the super node or the controller disassembles the information to obtain the security capability of each network node in the AS, and a path policy with secure routing capability is thereby generated, meeting network security requirements.
To implement the first-network-node-side information transmission method of the embodiments of the present application, an embodiment of the present application further provides an information transmission apparatus arranged on the first network node. As shown in FIG. 7, the apparatus includes:
a first receiving unit 701, configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or,
a first sending unit 702, configured to send first information corresponding to the first AS to the second network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission.
In an embodiment, the apparatus further includes:
a first disassembling unit, configured to disassemble the first information corresponding to the second AS to obtain second information corresponding to each network node in the second AS; wherein,
the second information represents the security capability of the corresponding network node.
In an embodiment, the apparatus further includes:
a second sending unit, configured to send the second information corresponding to each network node in the first AS and/or the second AS to a first controller.
In an embodiment, the apparatus further includes:
a third sending unit, configured to send the first information to a first controller; wherein,
the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the apparatus further includes:
a fourth receiving unit, configured to receive second information uploaded by the first controller in the first AS; wherein,
the second information represents the security capability of the corresponding network node.
In an embodiment, the second information is carried in a node of the BGP-LS protocol for transmission.
In practice, the first receiving unit 701, the first sending unit 702, the second sending unit, the third sending unit and the fourth receiving unit may be implemented by a communication interface in the information transmission apparatus; the first disassembling unit may be implemented by a processor in the information transmission apparatus.
To implement the first-controller-side information transmission method of the embodiments of the present application, an embodiment of the present application further provides an information transmission apparatus arranged on the first controller. As shown in FIG. 8, the apparatus includes:
a second receiving unit 801, configured to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or,
a third receiving unit 802, configured to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the apparatus further includes:
a second disassembling unit, configured to disassemble the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission; and/or the second information is carried in a node of the BGP-LS protocol for transmission.
In an embodiment, the apparatus further includes:
a fourth sending unit, configured to issue a first path policy to a second controller; wherein,
the second controller represents the head node of the SRv6 tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the apparatus further includes:
a fifth sending unit, configured to send the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller;
a fifth receiving unit, configured to receive the first path policy issued by the third controller.
In practice, the second receiving unit 801, the third receiving unit 802, the fourth sending unit, the fifth sending unit and the fifth receiving unit may be implemented by a communication interface in the information transmission apparatus; the second disassembling unit may be implemented by a processor in the information transmission apparatus.
It should be noted that when the information transmission apparatus provided in the above embodiments performs information transmission, the division into the above program modules is only used as an example; in practice, the above processing may be assigned to different program modules as needed, i.e. the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the information transmission apparatus and the information transmission method embodiments provided above belong to the same concept; their specific implementation process is detailed in the method embodiments and is not repeated here.
Based on the hardware implementation of the above program modules, and to implement the first-network-node-side method of the embodiments of the present application, an embodiment of the present application further provides a first network node located in a first AS. As shown in FIG. 9, the first network node 900 includes:
a first communication interface 901, capable of exchanging information with other network nodes;
a first processor 902, connected to the first communication interface 901 to exchange information with other network nodes, and configured to execute, when running a computer program, the method provided by one or more of the above first-network-node-side technical solutions. The computer program is stored in a first memory 903.
Specifically, the first communication interface 901 is configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or to send first information corresponding to the first AS to the second network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS.
In an embodiment, the first information is carried in a prefix of the Border Gateway Protocol-Link State (BGP-LS) protocol for transmission.
In an embodiment, the first processor 902 is configured to disassemble the first information corresponding to the second AS to obtain second information corresponding to each network node in the second AS; wherein,
the second information represents the security capability of the corresponding network node.
In an embodiment, the first communication interface 901 is further configured to send the second information corresponding to each network node in the first AS and/or the second AS to a first controller.
In an embodiment, the first communication interface 901 is further configured to send the first information to a first controller; wherein,
the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the first communication interface 901 is further configured to receive second information uploaded by other network nodes in the first AS; wherein,
the second information represents the security capabilities of the other network nodes.
In an embodiment, the second information is carried in a node of the BGP-LS protocol for transmission.
It should be noted that the specific processing of the first processor 902 and the first communication interface 901 can be understood with reference to the above methods.
Of course, in practice, the components of the first network node 900 are coupled together through a bus system 904. It can be understood that the bus system 904 is used to implement the connection and communication between these components. In addition to a data bus, the bus system 904 includes a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are all labeled as the bus system 904 in FIG. 9.
The first memory 903 in the embodiments of the present application is used to store various types of data to support the operation of the first network node 900. Examples of such data include any computer program for operating on the first network node 900.
The method disclosed in the above embodiments of the present application can be applied to the first processor 902, or implemented by the first processor 902. The first processor 902 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method can be completed by an integrated logic circuit in hardware or by instructions in software form in the first processor 902. The first processor 902 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The first processor 902 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the first memory 903; the first processor 902 reads the information in the first memory 903 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the first network node 900 may be implemented by one or more application specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, micro controller units (MCU), microprocessors, or other electronic components to execute the foregoing method.
Based on the hardware implementation of the above program modules, and to implement the first-controller-side method of the embodiments of the present application, an embodiment of the present application further provides a first controller, directly connected to a first network node in a first AS. As shown in FIG. 10, the first controller 1000 includes:
a second communication interface 1001, capable of exchanging information with other network nodes;
a second processor 1002, connected to the second communication interface 1001 to exchange information with other network nodes, and configured to execute, when running a computer program, the method provided by one or more of the above first-controller-side technical solutions. The computer program is stored in a second memory 1003.
Specifically, the second communication interface 1001 is configured to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
In an embodiment, the second processor 1002 is configured to disassemble the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the first information is carried in a prefix of the BGP-LS protocol for transmission; and/or the second information is carried in a node of the BGP-LS protocol for transmission.
In an embodiment, the second communication interface 1001 is further configured to issue a first path policy to a second controller; wherein,
the second controller represents the head node of the SRv6 tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
In an embodiment, the second communication interface 1001 is further configured to send the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller; and
to receive the first path policy issued by the third controller.
It should be noted that the specific processing of the second processor 1002 and the second communication interface 1001 can be understood with reference to the above methods.
Of course, in practice, the components of the first controller 1000 are coupled together through a bus system 1004. It can be understood that the bus system 1004 is used to implement the connection and communication between these components. In addition to a data bus, the bus system 1004 includes a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are all labeled as the bus system 1004 in FIG. 10.
The second memory 1003 in the embodiments of the present application is used to store various types of data to support the operation of the first controller 1000. Examples of such data include any computer program for operating on the first controller 1000.
The method disclosed in the above embodiments of the present application can be applied to the second processor 1002, or implemented by the second processor 1002. The second processor 1002 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method can be completed by an integrated logic circuit in hardware or by instructions in software form in the second processor 1002. The second processor 1002 may be a general-purpose processor, a DSP, another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The second processor 1002 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the second memory 1003; the second processor 1002 reads the information in the second memory 1003 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the first controller 1000 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components to execute the foregoing method.
It can be understood that the memories (the first memory 903, the second memory 1003) of the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer-readable storage medium, for example including a first memory 903 storing a computer program, which can be executed by the first processor 902 of the first network node 900 to complete the steps of the foregoing first-network-node-side method; or, for another example, including a second memory 1003 storing a computer program, which can be executed by the second processor 1002 of the first controller 1000 to complete the steps of the foregoing first-controller-side method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
The term "and/or" herein merely describes an association between associated objects, indicating that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily where they do not conflict.
The above are merely preferred embodiments of the present application and are not intended to limit the scope of protection of the present application.

Claims (19)

  1. An information transmission method, characterized in that it is executed by a first network node in a first autonomous system (AS), the method comprising:
    receiving first information corresponding to a second AS sent by a second network node in the second AS; or,
    sending first information corresponding to the first AS to the second network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS.
  2. The method according to claim 1, characterized in that the first information is carried in a prefix of the Border Gateway Protocol-Link State (BGP-LS) protocol for transmission.
  3. The method according to claim 1, characterized in that the method further comprises:
    disassembling the first information corresponding to the second AS to obtain second information corresponding to each network node in the second AS; wherein,
    the second information represents the security capability of the corresponding network node.
  4. The method according to claim 3, characterized in that the method further comprises:
    sending the second information corresponding to each network node in the first AS and/or the second AS to a first controller directly connected to the first network node.
  5. The method according to claim 1, characterized in that the method further comprises:
    sending the first information to a first controller directly connected to the first network node; wherein,
    the first information is used by the first controller to disassemble and obtain second information corresponding to each network node in the second AS; the second information represents the security capability of the corresponding network node.
  6. The method according to claim 1, characterized in that the method further comprises:
    receiving second information uploaded by other network nodes in the first AS; wherein,
    the second information represents the security capabilities of the other network nodes.
  7. The method according to any one of claims 3 to 6, characterized in that the second information is carried in a node of the BGP-LS protocol for transmission.
  8. An information transmission method, characterized in that it is executed by a first controller; the first controller is directly connected to a first network node in a first AS; the method comprises:
    receiving first information corresponding to the first AS and/or at least one second AS sent by the first network node; and/or,
    receiving second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
  9. The method according to claim 8, characterized in that the method further comprises:
    disassembling the received first information to obtain second information corresponding to each network node in the first AS and/or at least one second AS.
  10. The method according to claim 8 or 9, characterized in that the first information is carried in a prefix of the BGP-LS protocol for transmission; and/or the second information is carried in a node of the BGP-LS protocol for transmission.
  11. The method according to claim 8 or 9, characterized in that the method further comprises:
    issuing a first path policy to a second controller; wherein,
    the second controller represents the head node of a Segment Routing over IPv6 (SRv6) tunnel; the first path policy is generated based on the second information corresponding to each network node in the first AS and/or at least one second AS.
  12. The method according to claim 11, characterized in that the method further comprises:
    sending the second information corresponding to each network node in the first AS and/or at least one second AS to a third controller, wherein the third controller is an upper-layer controller of the first controller;
    receiving the first path policy issued by the third controller.
  13. An information transmission apparatus, characterized in that it comprises:
    a first receiving unit, configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or,
    a first sending unit, configured to send first information corresponding to a first AS to the second network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS.
  14. An information transmission apparatus, characterized in that it comprises:
    a second receiving unit, configured to receive first information of a first AS and/or at least one second AS sent by a first network node; and/or,
    a third receiving unit, configured to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
  15. A first network node, characterized in that the first network node is located in a first AS and comprises: a first communication interface; wherein,
    the first communication interface is configured to receive first information corresponding to a second AS sent by a second network node in the second AS; or to send first information corresponding to the first AS to the second network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS.
  16. A first controller, characterized in that the first controller is directly connected to a first network node in a first AS and comprises: a second communication interface; wherein,
    the second communication interface is configured to receive first information of the first AS and/or at least one second AS sent by the first network node; and/or to receive second information corresponding to each network node in the first AS and/or at least one second AS sent by the first network node; wherein,
    the first information represents the security capabilities of all network nodes in the corresponding AS; the second information represents the security capability of the corresponding network node.
  17. A first network node, characterized in that it comprises: a processor and a memory for storing a computer program capable of running on the processor,
    wherein the processor is configured to execute the steps of the method according to any one of claims 1 to 7 when running the computer program.
  18. A first controller, characterized in that it comprises: a processor and a memory for storing a computer program capable of running on the processor,
    wherein the processor is configured to execute the steps of the method according to any one of claims 8 to 12 when running the computer program.
  19. A storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7, or the steps of the method according to any one of claims 8 to 12.
PCT/CN2023/129104 2022-11-03 2023-11-01 Information transmission method, apparatus, network node and storage medium WO2024094072A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211370803.7A CN117997815A (zh) 2022-11-03 2022-11-03 Information transmission method, apparatus, network node and storage medium
CN202211370803.7 2022-11-03

Publications (1)

Publication Number Publication Date
WO2024094072A1 true WO2024094072A1 (zh) 2024-05-10

Family

ID=90894053

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/129104 WO2024094072A1 (zh) 2022-11-03 2023-11-01 Information transmission method, apparatus, network node and storage medium

Country Status (2)

Country Link
CN (1) CN117997815A (zh)
WO (1) WO2024094072A1 (zh)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101390321A (zh) * 2006-01-17 2009-03-18 Cisco Technology, Inc. Technique for detecting loop-free paths across routing information boundaries
CN101860938A (zh) * 2010-04-02 2010-10-13 Beijing University of Posts and Telecommunications Network node and method for autonomous routing control by sensing network context information
US20180343249A1 (en) * 2017-05-24 2018-11-29 Lg Electronics Inc. Method and apparatus for authenticating ue between heterogeneous networks in wireless communication system
CN109474605A (zh) * 2018-11-26 2019-03-15 North China Electric Power University Autonomous-domain-based collaborative defense method for source-grid-load industrial control systems
US20190372886A1 (en) * 2018-05-29 2019-12-05 Charter Communications Operating, Llc Border gateway protocol (bgp) security measures along autonomous system (as) paths

Also Published As

Publication number Publication date
CN117997815A (zh) 2024-05-07 Information transmission method, apparatus, network node and storage medium

Similar Documents

Publication Publication Date Title
US11716202B2 (en) Techniques for secure blockchain routing
US9270585B2 (en) Distributed routing table architecture and design
US20210273915A1 (en) Multi-access interface for internet protocol security
WO2021088433A1 (zh) Packet processing method, apparatus and system
CN106790420A (zh) Multi-session channel establishment method and system
CN113055297B (zh) Network topology discovery method and apparatus
CN103825826B (zh) Dynamic routing implementation method and apparatus
WO2021128927A1 (zh) Packet processing method and apparatus, storage medium and electronic apparatus
EP3229413B1 (en) Cross-domain cooperative method, cooperative device and control device for network as a service business
CN104243631A (zh) Method and device for stateful translation between IPv4 and IPv6 addresses
CN116939035A (zh) Data processing method, apparatus, electronic device and storage medium
WO2024094072A1 (zh) Information transmission method, apparatus, network node and storage medium
JP4638849B2 (ja) Function-distributed communication device and route control method
CN112272143B (zh) Route learning and forwarding method
WO2024094082A1 (zh) Information transmission method, apparatus, node and storage medium
WO2024094074A1 (zh) Information transmission method, apparatus, related device and storage medium
CN114301866B (zh) Consortium blockchain communication method, system, electronic device and readable storage medium
WO2024222006A1 (zh) Service request response method, service data acquisition method and electronic device
WO2024160054A1 (zh) Computing power scheduling method, apparatus, related device and storage medium
WO2024149061A1 (zh) Information processing method, apparatus, network device and storage medium
WO2024174967A1 (zh) Packet forwarding method, apparatus and system
US20230353484A1 (en) PCE for BIER-TE Path
JP5045551B2 (ja) Route aggregation device and aggregation processing method
JP3546328B2 (ja) Router for a communication network
JP3821990B2 (ja) Encrypted communication method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23884998

Country of ref document: EP

Kind code of ref document: A1